Table of Contents

• Title and Copyright Information
• Preface
  • Documentation Accessibility
  • Conventions
• 1 Introduction and Roadmap
  • Document Scope
  • Documentation Audience
  • Guide to this Document
  • Related Information
  • New and Changed Features in this Release
• 2 Introduction to Developing Security Providers for WebLogic Server
  • Prerequisites for This Guide
  • Overview of the Development Process
    • Designing the Custom Security Provider
    • Creating Runtime Classes for the Custom Security Provider by Implementing SSPIs
    • Generating an MBean Type to Configure and Manage the Custom Security Provider
    • Writing Console Extensions
    • Configuring the Custom Security Provider
    • Providing Management Mechanisms for Security Policies, Security Roles, and Credential Maps
• 3 Design Considerations
  • General Architecture of a Security Provider
  • Security Services Provider Interfaces (SSPIs)
    • Understand Two Important Restrictions
    • Understand the Purpose of the "Provider" SSPIs
    • Understand the Purpose of the Bulk Access Providers
    • Determine Which "Provider" Interface You Will Implement
    • Understand the SSPI Hierarchy and Determine Whether You Will Create One or Two Runtime Classes
    • SSPI Quick Reference
  • Security Service Provider Interface (SSPI) MBeans
    • Understand Why You Need an MBean Type
    • Determine Which SSPI MBeans to Extend and Implement
    • Understand the Basic Elements of an MBean Definition File (MDF)
    • Understand the SSPI MBean Hierarchy and How It Affects the Administration Console
    • Understand What the WebLogic MBeanMaker Provides
    • SSPI MBean Quick Reference
  • Security Data Migration
    • Migration Concepts
    • Adding Migration Support to Your Custom Security Providers
    • Administration Console Support for Security Data Migration
  • Management Utilities Available to Developers of Security Providers
  • Security Providers and WebLogic Resources
    • The Architecture of WebLogic Resources
    • Types of WebLogic Resources
    • WebLogic Resource Identifiers
    • Creating Default Groups for WebLogic Resources
    • Creating Default Security Roles for WebLogic Resources
    • Creating Default Security Policies for WebLogic Resources
    • Looking Up WebLogic Resources in a Security Provider's Runtime Class
    • Single-Parent Resource Hierarchies
    • ContextHandlers and WebLogic Resources
  • Initialization of the Security Provider Database
    • Best Practice: Create a Simple Database If None Exists
    • Best Practice: Configure an Existing Database
    • Best Practice: Delegate Database Initialization
    • Best Practice: Use the JDBC Connection Security Service API to Obtain Database Connections
  • Differences In Attribute Validators
    • Differences In Attribute Validators for Custom Validators
• 4 Authentication Providers
  • Authentication Concepts
    • Users and Groups, Principals and Subjects
    • LoginModules
    • Java Authentication and Authorization Service (JAAS)
  • The Authentication Process
  • Do You Need to Develop a Custom Authentication Provider?
  • How to Develop a Custom Authentication Provider
    • Create Runtime Classes Using the Appropriate SSPIs
    • Generate an MBean Type Using the WebLogic MBeanMaker
    • Configure the Custom Authentication Provider Using the Administration Console
• 5 Identity Assertion Providers
  • Identity Assertion Concepts
    • Identity Assertion Providers and LoginModules
    • Identity Assertion and Tokens
    • Passing Tokens for Perimeter Authentication
    • Common Secure Interoperability Version 2 (CSIv2)
  • The Identity Assertion Process
  • Do You Need to Develop a Custom Identity Assertion Provider?
  • How to Develop a Custom Identity Assertion Provider
    • Create Runtime Classes Using the Appropriate SSPIs
    • Generate an MBean Type Using the WebLogic MBeanMaker
    • Configure the Custom Identity Assertion Provider Using the Administration Console
    • Challenge Identity Assertion
• 6 Principal Validation Providers
  • Principal Validation Concepts
    • Principal Validation and Principal Types
    • How Principal Validation Providers Differ From Other Types of Security Providers
    • Security Exceptions Resulting from Invalid Principals
  • The Principal Validation Process
  • Do You Need to Develop a Custom Principal Validation Provider?
    • How to Use the WebLogic Principal Validation Provider
  • How to Develop a Custom Principal Validation Provider
    • Implement the PrincipalValidator SSPI
• 7 Authorization Providers
  • Authorization Concepts
    • Access Decisions
    • Using the Java Authorization Contract for Containers
  • The Authorization Process
  • Do You Need to Develop a Custom Authorization Provider?
    • Does Your Custom Authorization Provider Need to Support Application Versioning?
  • Is Your Custom Authorization Provider Thread Safe?
  • How to Develop a Custom Authorization Provider
    • Create Runtime Classes Using the Appropriate SSPIs
    • Policy Consumer SSPI
    • PolicyStoreMBean
    • Bulk Authorization Providers
    • Generate an MBean Type Using the WebLogic MBeanMaker
    • Configure the Custom Authorization Provider Using the Administration Console
    • Provide a Mechanism for Security Policy Management
• 8 Adjudication Providers
  • The Adjudication Process
  • Do You Need to Develop a Custom Adjudication Provider?
  • How to Develop a Custom Adjudication Provider
    • Create Runtime Classes Using the Appropriate SSPIs
    • Bulk Adjudication Providers
    • Generate an MBean Type Using the WebLogic MBeanMaker
    • Configure the Custom Adjudication Provider Using the Administration Console
• 9 Role Mapping Providers
  • Role Mapping Concepts
    • Security Roles
    • Dynamic Security Role Computation
  • The Role Mapping Process
  • Is Your Custom Role Mapping Provider Thread Safe?
  • Do You Need to Develop a Custom Role Mapping Provider?
    • Does Your Custom Role Mapping Provider Need to Support Application Versioning?
  • How to Develop a Custom Role Mapping Provider
    • Create Runtime Classes Using the Appropriate SSPIs
    • Role Consumer SSPI
    • PolicyStoreMBean
    • Bulk Role Mapping Providers
    • Generate an MBean Type Using the WebLogic MBeanMaker
    • Configure the Custom Role Mapping Provider Using the Administration Console
    • Provide a Mechanism for Security Role Management
• 10 Auditing Providers
  • Auditing Concepts
    • Audit Channels
    • Auditing Events From Custom Security Providers
  • The Auditing Process
  • Implementing the ContextHandler MBean
    • ContextHandlerMBean Methods
    • Example: Implementing the ContextHandlerMBean
    • Extend weblogic.management.security.audit.ContextHandlerImpl
  • Do You Need to Develop a Custom Auditing Provider?
  • How to Develop a Custom Auditing Provider
    • Create Runtime Classes Using the Appropriate SSPIs
    • Generate an MBean Type Using the WebLogic MBeanMaker
    • Configure the Custom Auditing Provider Using the Administration Console
  • Security Framework Audit Events
    • Passing Additional Audit Information
    • Audit Event Interfaces and Audit Events
• 11 Credential Mapping Providers
  • Credential Mapping Concepts
  • The Credential Mapping Process
  • Do You Need to Develop a Custom Credential Mapping Provider?
    • Does Your Custom Credential Mapping Provider Need to Support Application Versioning?
  • How to Develop a Custom Credential Mapping Provider
    • Create Runtime Classes Using the Appropriate SSPIs
    • Generate an MBean Type Using the WebLogic MBeanMaker
    • Provide a Mechanism for Credential Map Management
• 12 Auditing Events From Custom Security Providers
  • Security Services and the Auditor Service
  • How to Audit From a Custom Security Provider
    • Create an Audit Event
    • Obtain and Use the Auditor Service to Write Audit Events
    • Best Practice: Posting Audit Events from a Provider's MBean
• 13 Servlet Authentication Filters
  • Authentication Filter Concepts
    • Why Filters are Needed
    • Servlet Authentication Filter Design Considerations
  • How Filters Are Invoked
    • Do Not Call Servlet Authentication Filters From Authentication Providers
  • Example of a Provider that Implements a Filter
  • How to Develop a Custom Servlet Authentication Filter
    • Create Runtime Classes Using the Appropriate SSPIs
    • Implement the Servlet Authentication Filter SSPI
    • Implement the Filter Interface Methods
    • Implementing Challenge Identity Assertion from a Filter
    • Generate an MBean Type Using the WebLogic MBeanMaker
    • Configure the Authentication Provider Using Administration Console
• 14 Versionable Application Providers
  • Versionable Application Concepts
  • The Versionable Application Process
  • Do You Need to Develop a Custom Versionable Application Provider?
  • How to Develop a Custom VersionableApplication Provider
    • Create Runtime Classes Using the Appropriate SSPIs
    • Generate an MBean Type Using the WebLogic MBeanMaker
    • Configure the Custom Versionable Application Provider Using the Administration Console
• 15 CertPath Providers
  • Certificate Lookup and Validation Concepts
    • The Certificate Lookup and Validation Process
    • Do You Need to Implement Separate CertPath Validators and Builders?
    • CertPath Provider SPI MBeans
    • WebLogic CertPath Validator SSPI
    • WebLogic CertPath Builder SSPI
    • Relationship Between the WebLogic Server CertPath SSPI and the JDK SPI
  • Do You Need to Develop a Custom CertPath Provider?
  • How to Develop a Custom CertPath Provider
    • Create Runtime Classes Using the Appropriate SSPIs
    • Generate an MBean Type Using the WebLogic MBeanMaker
    • Configure the Custom CertPath Provider Using the Administration Console
• A MBean Definition File (MDF) Element Syntax
  • The MBeanType (Root) Element
  • The MBeanAttribute Subelement
  • The MBeanConstructor Subelement
  • The MBeanOperation Subelement
  • MBean Operation Exceptions
  • Examples: Well-Formed and Valid MBean Definition Files (MDFs)